DEPARTMENT OF HOMELAND SECURITY
Office of Inspector General

Enhanced Configuration Controls and Management Policies Can Improve USCG Network Security
(Redacted)

Notice: The Department of Homeland Security, Office of Inspector General, has redacted this report for public release. A review under the Freedom of Information Act will be conducted upon request.

OIG-08-82                                                             August 2008

Background

A system's network connections are the primary targets of most information technology (IT) security attacks. Network connectivity has become an intrinsic part of conducting business, which makes security planning and controls very important. Network security encompasses remote access, network tuning and monitoring, external connections, boundary protection, internet usage, electronic mail security, and vulnerability management. Sound network security practice dictates that all network connections be identified and that the threats and vulnerabilities associated with these connections be analyzed. The network infrastructure is the first line of defense between the Internet and networked information systems. Network security monitoring, detection, and analysis are key functions and are critical to maintaining the security of networked information systems. Vulnerability management, which is a combination of detection, assessment, and mitigation of weaknesses, is critical to reducing the risks associated with unauthorized access to network devices, systems, and data.

Information systems and networks are necessary for USCG business. Communications capabilities are needed by USCG personnel stationed on land, as well as by those at sea on its cutters. The Coast Guard Data Network Plus (CGDN+) supports USCG's sensitive, operational, and administrative information systems, as well as unclassified e-mail transmission and delivery. The CGDN+ Backbone is a modern common-user Transmission Control Protocol/Internet Protocol (TCP/IP) routed wide area network (WAN). The Backbone allows the transfer of sensitive information across the WAN. The Backbone design supports all Coast Guard districts and major commands. The network infrastructure extends across the continental U.S., and includes Alaska and Hawaii.

The CGDN+ backbone consists of [redacted]. The CGDN+ system infrastructure includes [redacted] systems. Four point of presence (POP) sites control access to CGDN+. Each POP supports external routers that provide for the transfer of sensitive but unclassified operational and administrative information. The firewall provides filtering of network traffic to protect against security intrusions, as well as controlling and authenticating access to each POP. The POP sites are:

   •   USCG Commandant (COMDT), located in [redacted].
   •   USCG Financial Center (FINCEN), located in [redacted].
   •   USCG Operations Systems Command (OSC), located in [redacted].
   •   USCG Electronics Systems Support Unit (ESU), located in [redacted].

Coast Guard cutters in port are provided pier-side connectivity to CGDN+ by their respective supporting stations, via a T1-capable link. When at sea, minimal connectivity to CGDN+ is provided through a commercial satellite link, which must employ [redacted] for transmission security. The shipboard network connections generally consist of a router, switch, virtual private network (VPN), servers, and workstations. Network and system security patches and updates are deployed when the cutters [redacted].

The USCG's Telecommunications and Information Systems Command (TISCOM) centrally manages CGDN+ and the POPs. Additionally, cutter connectivity to CGDN+ is entirely under the purview of TISCOM. TISCOM is responsible for all issues relating to the [redacted] security of CGDN+, including the configuration management of the [redacted], providing guidance to the POP sites when policy changes require modification of the [redacted], maintaining and replacing cutter network devices, managing backups, alert notifications, and incident response. The POP site teams are responsible for providing and maintaining remote access service engineering support for access to CGDN+ 24 hours a day/7 days a week.

In addition to assessing the security of the [redacted] for CGDN+ at the POPs and aboard four selected USCG cutters, we conducted wireless scans for possible rogue network access points at the POP sites and aboard the cutters. We also interviewed TISCOM personnel regarding network administration and evaluated access control and other security policies implemented to protect its network devices, systems, and data. The diagram below depicts an overview of CGDN+, and the devices and locations where we performed testing.

[Diagram: overview of CGDN+ and the devices and locations where testing was performed; the figure is not reproduced in this text version.]
Source:

Results of Audit

The overall security posture of the CGDN+ infrastructure is good. Network security [redacted] are effectively protecting USCG's network and data. Redundant firewalls are protecting each of the POP sites. [redacted] firewalls are configured to block connection attempts to scan the network. Auditing and logging are performed by a syslog server, and firewall logs are monitored daily for intrusion attacks.
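The daily firewall-log review described above is the kind of check that is easiest to see in code. The following Python is an added example written for this page; it is not tooling from USCG, TISCOM, or the OIG report. The deny records are constructed in a hypothetical key=value format (real firewall syslog formats differ, and the regular expression would need adjusting), and the 60-second window and five-target threshold are illustrative assumptions. It flags a source that probes many distinct ports in a short interval, while a host repeatedly retrying one closed port is not treated as a scan:

```python
"""Sliding-window port-scan detection over firewall deny logs.

Added example for this page; not tooling from USCG, TISCOM, or the OIG
report. The log format below is a hypothetical key=value deny record
constructed for the example; real firewall syslog formats differ.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample: one source probing six ports in three seconds (a
# scan), one source retrying a single port (not a scan), one stray accept
# line that the parser must skip, and a late single hit from the scanner
# that falls outside the detection window.
SAMPLE_LOG = """\
2008-05-01T03:14:07 fw-pop1 DENY src=203.0.113.5 dst=198.51.100.10 proto=TCP spt=51000 dpt=21
2008-05-01T03:14:07 fw-pop1 DENY src=203.0.113.5 dst=198.51.100.10 proto=TCP spt=51001 dpt=22
2008-05-01T03:14:08 fw-pop1 DENY src=203.0.113.5 dst=198.51.100.10 proto=TCP spt=51002 dpt=23
2008-05-01T03:14:08 fw-pop1 DENY src=203.0.113.5 dst=198.51.100.10 proto=TCP spt=51003 dpt=25
2008-05-01T03:14:09 fw-pop1 DENY src=203.0.113.5 dst=198.51.100.10 proto=TCP spt=51004 dpt=80
2008-05-01T03:14:09 fw-pop1 DENY src=203.0.113.5 dst=198.51.100.10 proto=TCP spt=51005 dpt=445
2008-05-01T03:15:30 fw-pop1 DENY src=192.0.2.44 dst=198.51.100.10 proto=TCP spt=40000 dpt=443
2008-05-01T03:15:31 fw-pop1 DENY src=192.0.2.44 dst=198.51.100.10 proto=TCP spt=40001 dpt=443
2008-05-01T03:16:00 fw-pop1 ACCEPT src=192.0.2.44 dst=198.51.100.10 proto=TCP spt=40002 dpt=443
2008-05-01T04:00:00 fw-pop1 DENY src=203.0.113.5 dst=198.51.100.10 proto=TCP spt=51006 dpt=8080
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) (?P<host>\S+) DENY "
    r"src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) proto=(?P<proto>\w+) "
    r"spt=(?P<spt>\d+) dpt=(?P<dpt>\d+)$"
)


def parse_denies(text):
    """Parse deny records; non-matching lines are counted, not guessed at.

    Returns (events sorted by timestamp, number of skipped lines).
    """
    events, skipped = [], 0
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if m is None:
            skipped += 1
            continue
        d = m.groupdict()
        events.append({
            "ts": datetime.fromisoformat(d["ts"]),
            "src": d["src"],
            "target": (d["dst"], d["proto"].upper(), int(d["dpt"])),
        })
    events.sort(key=lambda e: e["ts"])  # stable sort keeps same-second order
    return events, skipped


def find_scanners(events, window=timedelta(seconds=60), min_targets=5):
    """Flag sources that hit >= min_targets distinct (dst, proto, port)
    triples within any sliding interval of length `window`.

    Counting distinct targets rather than raw deny count keeps a host
    retrying one closed port from looking like a scan. Threshold and
    window are illustrative assumptions, not values from the report.
    """
    recent = defaultdict(deque)  # src -> deque of (ts, target) inside window
    first_hit, peak = {}, defaultdict(int)
    for e in events:
        q = recent[e["src"]]
        q.append((e["ts"], e["target"]))
        while q and e["ts"] - q[0][0] > window:
            q.popleft()  # drop entries older than the window
        distinct = len({t for _, t in q})
        peak[e["src"]] = max(peak[e["src"]], distinct)
        if distinct >= min_targets and e["src"] not in first_hit:
            first_hit[e["src"]] = e["ts"]
    return [
        {"src": s, "first_seen": first_hit[s].isoformat(),
         "peak_targets": peak[s]}
        for s in sorted(first_hit)
    ]


def daily_review(text=SAMPLE_LOG):
    """One pass of the daily check: parse, detect, and summarise."""
    events, skipped = parse_denies(text)
    return {"alerts": find_scanners(events), "parsed": len(events),
            "skipped": skipped}


if __name__ == "__main__":
    for key, value in daily_review().items():
        print(f"{key}: {value}")
```

On the constructed sample this flags 203.0.113.5 at 03:14:09, the moment its fifth distinct port is denied, with a peak of six targets; 192.0.2.44 is never flagged because both of its denies are to the same port, and the ACCEPT line is reported as skipped rather than silently mis-parsed. In practice the skipped count is worth watching as closely as the alerts: a jump in unparsed lines usually means the firewall's log format changed and the review is blind.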
TISCOM employs two intrusion detection applications, which run simultaneously and are used to actively monitor and analyze incoming and outgoing network traffic 24 hours a day/7 days a week. No rogue network access points were discovered. We verified that USCG cutter network devices and system connections are patched when they [redacted], and that physical access to network devices aboard the cutters is restricted. Overall, the USCG's management of its network security is consistent with a majority of the policies, practices, and controls required by the Department of Homeland Security's (DHS) 4300A Sensitive Systems Handbook, DHS' Cisco Router Secure Baseline Configuration Guide, and the National Institute of Standards and Technology (NIST) Special Publication 800-53, Recommended Security Controls for Federal Information Systems.

While USCG has been vigilant in its efforts to secure its network infrastructure, we identified system vulnerabilities and areas of noncompliance with DHS' configuration [redacted] on its network [redacted]. If these issues are not addressed, they may compromise USCG's [redacted] security. In addition, important policies and procedures related to network access controls have not been developed. The additional measures we are recommending can be easily implemented without affecting USCG operations and will decrease the risks associated with the issues we identified.

[redacted] Should Be Addressed

A number of management, operational, and technical controls impact network security, including identification and authentication controls, audit logging, integrity controls, and periodic reviews of programs/systems to determine whether changes that could adversely affect security have occurred. While USCG has implemented the majority of these controls, we identified several [redacted] configuration [redacted] on its network [redacted] security [redacted] that could adversely impact the security of its network infrastructure. Specifically, we identified:

   •   [redacted].
   •   [redacted].
   •   [redacted].
   •   [redacted].
   •   [redacted].
   •   [redacted].
   •   [redacted].
   •   [redacted].
   •   [redacted].

Per DHS guidance, firewalls, when used in concert with a variety of additional security controls, such as intrusion detection systems (IDSs) and authentication procedures, provide a level of assurance that unauthorized personnel will be unable to access departmental systems, and have proven to be an effective means for securing a network. DHS requires that:

   •   [redacted].
   •   [redacted].
   •   [redacted].
   •   [redacted].
   •   [redacted].
   •   [redacted].
   •   [redacted].
   •   [redacted].
   •   [redacted].
   •   [redacted].

The use of [redacted] are inherently critical high-risk vulnerabilities. While the risk to USCG's network infrastructure for the majority of the vulnerabilities identified above could be considered low, together they present a medium to high risk because they can potentially provide an attacker with the means to gain unauthorized access to USCG's network. For example, an attacker can use [redacted] and gain unauthorized access to the USCG network. The unauthorized or non-intended use of [redacted] poses a potential avenue for unfettered or even covert access to other devices or systems within the infrastructure. The use of [redacted] is associated with numerous vulnerabilities from attackers gaining access to [redacted] with network [redacted]. USCG needs to address these [redacted] involving the configuration [redacted] allowed on CGDN+ to better protect the confidentiality, integrity, and availability of its systems and data, and to comply with DHS requirements.

Additional Policies and Procedures Should Be Developed

USCG has implemented guidelines and procedures pertaining to wireless access, standard configurations for workstations, patch management, and incident detection and response. However, USCG has not developed an access control policy or a remote access policy to govern employees' access to the USCG network via modem or via the Internet. Additionally, USCG management acknowledged that its employees are [redacted].

Per DHS policy, components are required to implement access control measures that provide protection from unauthorized alteration, loss, unavailability, destruction, or disclosure of information. Access control policies are designed to reduce the risk of an individual acting alone engaging in fraudulent or malicious behavior. Data communication connections via modem are to be limited and tightly controlled because these connections can be used to circumvent security controls intended to protect DHS networks. Data communication connections are not allowed unless the component's Information Systems Security Manager has authorized them. Furthermore, DHS policy does not allow the [redacted] DHS information and systems.

There are significant security risks associated with remote access and dial-in capabilities. Proper procedures and management of network connections are vital in mitigating these risks. If untrusted or uncleared persons obtain unauthorized access, they can violate the integrity, confidentiality, and availability standards of the department. Furthermore, though USCG uses [redacted] to ensure that its [redacted]. For example, USCG does not verify that [redacted] to reduce the risks of compromising CGDN+. Therefore, USCG has no reasonable assurance that the employees' personal [redacted] to the level that is acceptable in accordance with DHS security policy and practices.

Recommendations

We recommend that the Coast Guard Commandant direct the Chief Information Officer (CIO) to:

   Recommendation #1: [redacted] or otherwise address the [redacted] configuration [redacted] in accordance with DHS policy, including the use of [redacted].

   Recommendation #2: [redacted].

   Recommendation #3: Ensure that [redacted], are [redacted].

   Recommendation #4: Develop and implement security procedures for quarterly firewall testing, perimeter security testing, access control, and remote access.

   Recommendation #5: Prohibit the use [redacted] DHS information and systems.

Management Comments and OIG Analysis

We obtained written comments on a draft of the report from the Chief of Staff for USCG. We have included a copy of the comments in Appendix A. The Chief of Staff concurred with four of the five recommendations. The Chief of Staff for the USCG partially concurred with recommendation #5 because USCG will request a waiver from the DHS requirements. We reviewed the USCG management's response and agree that the steps USCG plans to take satisfy the recommendations.

*********************

We conducted our audit from October 2007 to May 2008 under the authority of the Inspector General Act of 1978, as amended, and according to generally accepted government auditing standards.

Appendix A
Management Response

[The management response letter is not reproduced in this text version.]

Appendix B
Major Contributors to This Report

                   Information Security Audits Division

                   Edward G. Coleman, Director
                   Barbara Bartuska, Audit Manager
                   Tarsha Cary, Senior Auditor
                   Michael Horton, IT Officer
                   Thomas Rohrback, IT Specialist
                   Erin Dunham, Referencer

                   Advanced Technology Division

                   Richard Saunders, Director
                   Steve Matthews, Manager
                   Vincent Feaster, Electrical Engineer, SPAWAR
                   David Phelps, Computer Scientist, SPAWAR
                   Chad Cravens, Computer Scientist, SPAWAR
                   Birdie Rueangvivatanakij, Senior Security Analyst, Devine Consulting

Appendix C
Report Distribution

                      Department of Homeland Security

                      Secretary
                      Deputy Secretary
                      Chief of Staff
                      Deputy Chief of Staff
                      General Counsel
                      Executive Secretary
                      Under Secretary, Management
                      Assistant Secretary for Policy
                      Assistant Secretary for Public Affairs
                      Assistant Secretary for Legislative Affairs
                      Chief Information Officer
                      Chief Information Security Officer
                      DHS Audit Liaison
                      Chief Information Officer, USCG
                      Deputy Chief Information Officer, USCG
                      Chief, Office of Communications Systems, USCG
                      Information Systems Security Manager, USCG
                      Audit Liaison, USCG

                      Office of Management and Budget

                      Chief, Homeland Security Branch
                      DHS OIG Budget Examiner

                      Congress

                      Congressional Oversight and Appropriations Committees, as appropriate

Additional Information and Copies

To obtain additional copies of this report, call the Office of Inspector General (OIG) at (202) 254-4199, fax your request to (202) 254-4305, or visit the OIG web site at www.dhs.gov/oig.

OIG Hotline

To report alleged fraud, waste, abuse or mismanagement, or any other kind of criminal or noncriminal misconduct relative to department programs or operations:

    •   Call our Hotline at 1-800-323-8603;
    •   Fax the complaint directly to us at (202) 254-4292;
    •   Email us at DHSOIGHOTLINE@dhs.gov; or
    •   Write to us at:
          DHS Office of Inspector General/MAIL STOP 2600, Attention:
          Office of Investigations - Hotline, 245 Murray Drive, SW, Building 410,
          Washington, DC 20528.

The OIG seeks to protect the identity of each writer and caller.